LAN and WAN share the same MAC address -- could this be a security issue?

When I bought the AEBS(n), I was a bit surprised to see only one ethernet MAC address listed (on bottom of unit, or was it in config utility?), in addition to wireless MAC. My main router has two ethernet MACs.

So last night, I investigated. I confirmed my suspicion that both the WAN port and the LAN ports share the same MAC address! My setup has the AEBS WAN port plugged into my home LAN's main router, and a Linux machine plugged into a LAN port of the AEBS.

View of AEBS WAN side (from main router at 192.168.1.1)

ii# arp
Seconds IP Address MAC Address
734 66.130.224.1 001120A87AF5 -- ISP router
789 192.168.1.21 0016CBC430A6 -- AEBS WAN port
28 192.168.1.33 0010DC47DC53 -- home PC
824 192.168.1.73 00065BB2F295 -- work PC

View of AEBS LAN side (from a Linux box at 10.0.1.41)

root@LKG7CAE25 # cat /proc/net/arp
IP address HW type Flags HW address Mask Device
10.0.1.1 0x1 0x2 00:16:CB:C4:30:A6 * eth0

10.0.1.1 on the LAN side of AEBS and 192.168.1.21 on the WAN side of the AEBS both use the same MAC address, 00:16:CB:C4:30:A6.

I tried to provoke some leakage between the two sides (for example with broadcast packets), but haven't been able to do so yet. Perhaps the switch in front of the eth MAC has enough smarts to keep the two subnets separate? Still it sort of worries me, if I used the AEBS as my only router, that both WAN and LAN go through the same ethernet MAC (same h/w). I browsed here but found no discussion on this.

Comments anyone?

N/A, Windows XP

Posted on May 10, 2007 10:57 AM
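The comparison done by hand in the post above can be scripted. This is an added example, not part of the original post: it parses both ARP listing formats shown there and reports any MAC address seen from more than one vantage point. The function names and the "wan-side"/"lan-side" labels are hypothetical.

```python
import re
from collections import defaultdict

# Sample input copied from the two ARP listings in the post above.
ROUTER_ARP = """\
Seconds IP Address MAC Address
734 66.130.224.1 001120A87AF5 -- ISP router
789 192.168.1.21 0016CBC430A6 -- AEBS WAN port
28 192.168.1.33 0010DC47DC53 -- home PC
824 192.168.1.73 00065BB2F295 -- work PC
"""

LINUX_PROC_ARP = """\
IP address HW type Flags HW address Mask Device
10.0.1.1 0x1 0x2 00:16:CB:C4:30:A6 * eth0
"""

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Accepts bare 12-digit hex (router style) or colon/dash separated octets (Linux style).
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{12}|(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})$")


def normalize_mac(mac):
    """Return the MAC as lower-case, colon-separated hex."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_arp(text):
    """Extract (ip, mac) pairs from either listing format, skipping header lines."""
    pairs = []
    for line in text.splitlines():
        fields = line.split()
        ips = [f for f in fields if IP_RE.match(f)]
        macs = [f for f in fields if MAC_RE.match(f)]
        if ips and macs:
            pairs.append((ips[0], normalize_mac(macs[0])))
    return pairs


def shared_macs(views):
    """Map each MAC seen from more than one vantage point to its (view, ip) sightings."""
    seen = defaultdict(list)
    for view, text in views.items():
        for ip, mac in parse_arp(text):
            seen[mac].append((view, ip))
    return {mac: hits for mac, hits in seen.items()
            if len({view for view, _ in hits}) > 1}
```

Calling `shared_macs({"wan-side": ROUTER_ARP, "lan-side": LINUX_PROC_ARP})` returns the single shared address together with the IP it answers for on each side.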


May 10, 2007 2:13 PM in response to leware

That is interesting...

Even though they have the same MAC address, it doesn't mean that they are physically the same device or same connection.

Since they are on different subnets it shouldn't pose a problem. Even considering packet routing, etc. it shouldn't be a problem.

It may be Apple's way of conserving valuable MAC addresses.

Perhaps someone else has some other information/observations.

May 10, 2007 2:41 PM in response to leware

This shouldn't be an issue at all. Think of other routers with MAC address cloning—cloning the MAC address of your computer on the WAN side of a router creates the same situation you're seeing.

MAC stands for "media access control" and a MAC address is a unique identifier on the physical network. This is why there are separate MAC addresses for ethernet and wireless, they are physically different networks. In the case of the WAN/LAN, both are ethernet-type networks but are physically distinct (this is the purpose of a router like the AEBS), so having the same MAC address on both sides won't cause any sort of collision nor should it be possible to leak across networks. MAC addresses can't be used for routing beyond the physical network.


MacBook Pro 2GHz Core Duo 15" Mac OS X (10.4.9)

May 10, 2007 3:00 PM in response to Duane

Even though they have the same MAC address doesn't
mean that they are physically the same device or same
connection.
...
It may be Apple's way of conserving valuable MAC
addresses.


Interesting idea. Since no one would ever connect the WAN port to the LAN port, I suppose both can use the same MAC address even if they are different H/W. Would be the first time I see this (not that I have seen that many devices, but still).

May 10, 2007 3:04 PM in response to Kevin Herrboldt

.... This is why there are separate MAC addresses
for ethernet and wireless, they are physically
different networks. In the case of the WAN/LAN, both
are ethernet-type networks but are physically
distinct (this is the purpose of a router like the
AEBS), so having the same MAC address on both sides
won't cause any sort of collision nor should it be
possible to leak across networks. MAC addresses can't
be used for routing beyond the physical network.


If it is indeed two different NICs sharing a single MAC, then indeed it is not an issue as you would never want to connect these two NICs together. But is it really two NICs?
My worry is that these two subnets are on the same physical network, with some magic going on to keep them separate anyway. Do we have some picture of AEBS internals? Maybe that would answer the question...

May 10, 2007 4:28 PM in response to leware

Some high end Cisco routers will use the same mac address for every ip interface. This is not a problem. This is not a security issue. This does not mean that there is one broadcast domain shared by all the interfaces, like on a hub or switch.

All the box is doing is using the same mac address, which is not a physical thing like a network interface card, to respond to arp requests on all of its interfaces.

If you are not using bridging mode, you can't arp for the wan ip address on the lan interface and vice versa. Even if you statically configure your computer with a lan ip address and connect it to the wan interface, you will not be able to ping the AirPort's wan interface.

I have been doing network engineering for a bit over a decade and I don't see any inherent security risks that could be inferred from this.
